From 68bb79a2b6ca2d1205445a581e3101e6d6e80e4e Mon Sep 17 00:00:00 2001
From: Andreas Zweili
Date: Wed, 17 Apr 2024 20:02:56 +0200
Subject: [PATCH] Put attic behind a proxy
---
 home-manager/profiles/work-wsl.nix | 2 ++
 modules/misc/common/default.nix | 2 +-
 modules/services/attic/default.nix | 13 ++++++++++---
 modules/services/haproxy/default.nix | 5 +++++
 4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/home-manager/profiles/work-wsl.nix b/home-manager/profiles/work-wsl.nix
index fec8d23..9d6497b 100644
--- a/home-manager/profiles/work-wsl.nix
+++ b/home-manager/profiles/work-wsl.nix
@@ -47,11 +47,13 @@
 "https://nix-community.cachix.org"
 "https://cache.nixos.org"
 "https://devenv.cachix.org"
+ "https://cache.zweili.org/prod"
 ];
 trusted-public-keys = [
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
+ "prod:46pIZhqoueg1P4IPp8ciArCUgSXWJZAq63CwLTQN/uA="
 ];
 };
 };
diff --git a/modules/misc/common/default.nix b/modules/misc/common/default.nix
index adc7af6..f5c3327 100644
--- a/modules/misc/common/default.nix
+++ b/modules/misc/common/default.nix
@@ -141,7 +141,7 @@ in
 "https://nix-community.cachix.org"
 "https://cache.nixos.org"
 "https://devenv.cachix.org"
- "http://10.7.89.150:8080/prod"
+ "https://cache.zweili.org/prod"
 ];
 trusted-public-keys = [
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
diff --git a/modules/services/attic/default.nix b/modules/services/attic/default.nix
index 5930ab1..fbdab2b 100644
--- a/modules/services/attic/default.nix
+++ b/modules/services/attic/default.nix
@@ -10,6 +10,7 @@ let
 cfg = config.services.az-attic-server;
 cacheStorage = "/mnt/binary-cache";
 atticPort = 8080;
+ atticDomain = "cache.zweili.org";
 attic-garbage-collect = pkgs.writeShellScriptBin "attic-garbage-collect" '' ${ inputs.attic.packages.${system}.attic-server
@@ -42,14 +43,20 @@ in
 attic-garbage-collect
 ];
- networking.firewall.allowedTCPPorts = [ atticPort ];
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ services.az-nginx-proxy = {
+ enable = true;
+ domain = atticDomain;
+ port = atticPort;
+ };
 services.atticd = {
 enable = true;
 credentialsFile = config.age.secrets.atticEnv.path;
 settings = {
 listen = "[::]:${toString atticPort}";
- api-endpoint = "http://10.7.89.150:${toString atticPort}/";
- allowed-hosts = [ ];
+ api-endpoint = "https://${atticDomain}/";
+ allowed-hosts = [ atticDomain ];
 storage = {
 type = "local";
 path = "${cacheStorage}";
diff --git a/modules/services/haproxy/default.nix b/modules/services/haproxy/default.nix
index ee8ae5a..90a46a7 100644
--- a/modules/services/haproxy/default.nix
+++ b/modules/services/haproxy/default.nix
@@ -44,6 +44,7 @@ in
 redirect scheme https code 301 if { hdr(host) -i nextcloud.2li.ch } !{ ssl_fc }
 redirect scheme https code 301 if { hdr(host) -i rss.zweili.org } !{ ssl_fc }
 redirect scheme https code 301 if { hdr(host) -i rss-bridge.zweili.org } !{ ssl_fc }
+ redirect scheme https code 301 if { hdr(host) -i cache.zweili.org } !{ ssl_fc }
 redirect scheme https code 301 if { hdr(host) -i www.2li.ch } !{ ssl_fc }
 redirect scheme https code 301 if { hdr_dom(host) -i 2li.ch } !{ ssl_fc }
@@ -62,6 +63,7 @@ in
 use_backend nextcloud_server if { req_ssl_sni -i nextcloud.2li.ch }
 use_backend rss_server if { req_ssl_sni -i rss.zweili.org }
 use_backend rss_server if { req_ssl_sni -i rss-bridge.zweili.org }
+ use_backend cache_server if { req_ssl_sni -i cache.zweili.org }
 use_backend proxy if { req_ssl_sni -i www.2li.ch }
 use_backend proxy if { req_ssl_sni -i 2li.ch }
@@ -83,6 +85,9 @@ in
 backend proxy
 mode tcp
 server server1 127.0.0.1:4433 check
+ backend cache_server
+ mode tcp
+ server server1 10.7.89.150:443 check
 '';
 };
 };
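Review bot: Replacing `allowedTCPPorts = [ atticPort ]` with `[ 443 ]` closes the firewall hole, but the unchanged `listen = "[::]:${toString atticPort}";` still binds the plaintext atticd listener on every interface, so the only thing keeping it off the network is the firewall rule rather than the bind address. Since `services.az-nginx-proxy` on the same host is now meant to be the sole entry point, binding to loopback, `listen = "[::1]:${toString atticPort}";` (or `127.0.0.1:...` if the proxy connects over IPv4 — its definition is outside this patch), makes that explicit and defense-in-depth. The new `allowed-hosts = [ atticDomain ]` also now depends on the proxy forwarding the client's `Host` header unchanged; if az-nginx-proxy rewrites it, every request is rejected, which is worth a comment such as `# requires az-nginx-proxy to pass the Host header through unchanged`. The enclosing `config` attribute set continues outside the hunk.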
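Review bot: The new `backend cache_server` in the third hunk forwards to `10.7.89.150:443` in `mode tcp` with a bare `check`, so health checking is a plain TCP connect and TLS is passed through to be terminated on the attic host; that matches the other tcp backends but the coupling to the attic module's nginx (certificate and Host allow-list live there) is not stated anywhere. A comment above the backend keeps it visible, e.g. `# TLS passthrough to the attic host; TLS termination and Host checks happen in modules/services/attic`. The same literal IP was removed from the substituter URL in this patch, so this line is now the only place it lives — worth noting so a host move does not silently leave the cache unreachable. The haproxy config string continues outside the hunk.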